Whilst Zimbra 8.8 has just been released, we want to monitor it over the coming months to ensure stability. Once satisfied that it will be reliable we will upgrade to that version.We haven’t forgotten Zimbra001 and will contact customers on this server about moving users in the New Year.

We are seeing a significant rise in customers’ email accounts being used to distribute spam, having had their account credentials compromised.

In many cases this has been purely down to simple, fairly obvious, passwords being used. Would you believe that we have 276 mailboxes that use ‘password’ as their password? Or 73 with the password 123456?

It’s important for all our customers that we minimise the potential of our mail servers becoming blacklisted, so where patterns of outbound sending indicate a compromised mailbox and the distribution of spam, we will block the account from sending out any further email until the password is changed and a virus scan on the end users equipment performed if required.

This helps mitigate against blacklisting, but isn’t perfect by any means as it’s reactive in nature.

Whilst we can’t improve on the way we identify compromised mailboxes, we can improve the tools we give Partners to re-enable outbound SMTP immediately following a block.

Currently we send out an alert when an account is locked and rely on you contacting us to re-enable. Add to that, any blocking we’ve done has been at account level, rather than individual mailboxes, so one compromised mailbox can lead to outbound emails being blocked for the whole account.

As of Tuesday 27th June we are implementing a new process for dealing with compromised accounts:

Blocks can now be applied at individual mailbox level, rather than account level. This means that only the affected mailbox will be restricted from sending, rather than all users on that account.

Our systems will now automatically unlock any affected mailboxes once the user, or administrator, has changed the password.

Next Tuesday all mailboxes with passwords we deem to be easily compromised (for example, using part of the email address) will be blocked from sending outbound email until their password has been changed. This will only affect a relatively small proportion of our overall customer base, but needs to be implemented as the issue of compromised email boxes is on the rise.

We very much hope you’ll welcome the changes we’ve made which, as well as giving more control to customers in the event their email credentials are compromised, it also encourages everyone to think a little more seriously about the security of their email!

Starting on Mon 13th Feb, we will begin a series of Operating System upgrades to our Zimbra servers to onto the latest version of Linux in preparation for upgrading Zimbra to the latest version (8.7.1), the upgrades for which will follow a couple of weeks later.

This will, unfortunately, involve some downtime for each server and is not without its risks.

We anticipate that each server will be down for a period of up to 2 hours, but hoping to keep it to 30 minutes.

The planned schedule is as follows: Mon 13th 22:00 – zimbra004 Wed 15th 22:00 – zimbra003 Thu 16th 22:00 – zimbra002 As part of this work, we will be removing support for some weak or obsolete SSL ciphers to improve security levels.

A requirement of MessageBunker that we store the user’s credentials, encrypted of course, so that we can access their mailbox for archiving. Wherever possible, we look for alternative solutions that allow for improved security and privacy. Gmail offers one such solution.

MessageBunker can be granted a token by Gmail with the end-user’s permission, that needs refreshing hourly. This token can be used to log in. The process is known as ‘oAuth’ as is fairly common on the web, but this is the only implementation for IMAP that we are aware of.

When a user creates a new archive on MessageBunker, we send them to Google to give us permission to access their Gmail. We then get a confirmation back and a token we can use to log in.

The user does not need to reveal their password and can revoke our access to their Gmail account at any time, without the need to change their password, or alter any other systems that are accessing the account.

Following on from our announcement at the end of September regarding the new MessageBunker interface and initial running of old and new versions in parallel, we can announce that, as of today, the old site has now gone – to be completely replaced by the new one.

The development team have been beavering away over some hot code again and we’re delighted to announce the launch of a new and improved MessageBunker email archiving, compliance and discovery service.

The updated service provides a brand new web interface, with statistics/graphs, lots of new help files, enhanced search facilities and a host of other improvements. In addition there is an all-new mobile site for smartphones that can be set up as a web app. too.

To really experience the improvements we’ve made please take a look at new.messagebunker.com using your existing MessageBunker login credentials.